3. Risk Management
For an increasing number of banks there may be a strategic reason for engaging in electronic banking and electronic money activities. In addition, greater use of electronic banking and electronic money may increase the efficiency of the banking and payment system, benefiting consumers and merchants. At the same time, as the preceding discussion indicates, there are risks for banks engaging in electronic banking and electronic money activities. Risks must be balanced against benefits; banks must be able to manage and control risks and absorb any related losses if necessary. Risks from electronic banking and electronic money activities should also be evaluated in the context of other risks the bank faces. Even though electronic banking and electronic money activities may represent a relatively small portion of the overall activities of banks currently, supervisors may still require senior management’s assurance that critical systems are not threatened by the risk exposures banks take.
The rapid pace of technological innovation is likely to change the nature and scope of risks banks face in electronic money and electronic banking. Supervisors expect banks to have processes that enable bank management to respond to current risks, and to adjust to new risks. A risk management process that includes the three basic elements of assessing risks, controlling risk exposure, and monitoring risks will help banks and supervisors attain these goals. Banks may employ such a process when committing to new electronic banking and electronic money activities, and as they evaluate existing commitments to these activities.
It is essential that banks have a comprehensive risk management process in place that is subject to appropriate oversight by the board of directors and senior management. As new risks in electronic banking and electronic money activities are identified and assessed, the board and senior management must be kept informed of these changes. Prior to any new activity being commenced, a comprehensive review should be conducted so that senior management can ensure that the risk management process is adequate to assess, control and monitor any risks arising from the proposed new activity.
3.1 Assessing Risks
Assessing risks is an ongoing process. It typically involves three steps. First a bank may engage in a rigorous analytic process to identify risks and, where possible, to quantify them. In the event risk cannot be quantified, management may still identify how potential risks can arise and the steps it has taken to deal with and limit those risks. Bank management should form a reasonable and defensible judgement of the magnitude of any risk with respect to both the impact it could have on the bank (including the maximum potential impact), and the probability that such an event will occur.
A second step in assessing risk is for the board of directors or senior management to determine the bank's risk tolerance, based on an assessment of the losses the bank can afford to sustain in the event a given problem materialises. Finally, management can compare its risk tolerance with its assessment of the magnitude of a risk to ascertain if the risk exposure fits within the tolerance limits.
3.2. Managing and Controlling Risks
Having made an assessment of risks and its risk tolerance, bank management should take steps to manage and control risks. This phase of a risk management process includes activities such as implementing security policies and measures, co-ordinating internal communication, evaluating and upgrading products and services, implementing measures to ensure that outsourcing risks are controlled and managed, providing disclosures and customer education, and developing contingency plans. Senior management should ensure that staff responsible for enforcing risk limits have authority independent from the business unit undertaking the electronic banking or electronic money activity. Banks increase their ability to control and manage the various risks inherent in any activity when policies and procedures are set out in written documentation and made available to all relevant staff.
3.2.1 Security Policies And Measures
Security is the combination of systems, applications, and internal controls used to safeguard the integrity, authenticity, and confidentiality of data and operating processes. Proper security relies on the development and implementation of adequate security policies and security measures for processes within the bank, and for communication between the bank and external parties. Security policies and measures can limit the risk of external and internal attacks on electronic banking and electronic money systems, as well as the reputational risk arising from security breaches.
A security policy states management's intentions to support information security and provides an explanation of the bank's security organisation. It also establishes guidelines that define the bank's security risk tolerance. The policy may define responsibilities for designing, implementing, and enforcing information security measures, and it may establish procedures to evaluate policy compliance, enforce disciplinary measures, and report security violations.
Security measures are combinations of hardware and software tools, and personnel management, that contribute to building secure systems and operations. Senior management should regard security as a comprehensive process that is only as strong as the weakest link in the process. Banks can choose from a variety of security measures to prevent or mitigate external and internal attacks and misuse of electronic banking and electronic money. Such measures include, for example, encryption, passwords, firewalls, virus controls, and employee screening. Encryption is the use of cryptographic algorithms to encode clear text data into cipher text to prevent unauthorised observation.8 Passwords, pass phrases, personal identification numbers, hardware-based tokens, and biometrics are techniques for controlling access and identifying users.
Firewalls are combinations of hardware and software that screen and limit external access to internal systems connected to open networks such as the Internet. Firewalls may also separate segments of internal networks using Internet technology (Intranets). Firewall technology, if properly designed and implemented, can be an effective means of controlling access and safeguarding data confidentiality and integrity. Because this technology is complex to design and can be costly, its strength and capabilities should be proportionate with the sensitivity of the information being protected. A well-planned design should include enterprise-wide security requirements, clear procedures for operation, separation of duties, and selection of trusted personnel who are responsible for the configuration and operation of the firewall.
Although firewalls screen incoming messages they do not necessarily protect against virus-infected programs downloaded from the Internet. As a consequence, management should develop prevention and detection controls to reduce the chance of virus attack and data destruction, particularly for remote banking. Programmes to mitigate the risk of a virus infection may include network controls, end-user policies, user training, and virus detection software.
Not all security threats are external. Electronic banking and electronic money systems should also be safeguarded, to the extent possible, against unauthorised activities by current and former employees. As with existing banking activities, background checks for new employees, temporary employees, and consultants, as well as internal controls and separation of duties are important precautions to protect system security.
For electronic money, additional security measures may help deter attacks and misuse, including counterfeiting and money laundering.9 Such measures could include on-line interaction with the issuer or a central operator; monitoring and tracing individual transactions; maintenance of cumulative records in a central database; the use of tamper-resistant devices incorporated into stored-value cards and merchant hardware; and the use of value limits and expiration dates on stored-value cards.
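The following is an added illustration, not code from the report, of how several of the electronic money measures listed above (on-line interaction with a central operator, tracing of individual transactions, cumulative records in a central database, and value limits and expiration dates) fit together at the operator's side. The policy values, card identifiers and transactions are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical policy values, constructed for this example (not from the report).
PER_TX_LIMIT = 200        # maximum value of any single redemption
CARD_VALUE_LIMIT = 1000   # maximum value that may ever be loaded onto one card


@dataclass
class CardRecord:
    """Cumulative record the central operator keeps for one stored-value card."""
    card_id: str
    expires: date
    loaded: int = 0                               # total value issued to the card
    spent: int = 0                                # total value redeemed by merchants
    seen_tx: set = field(default_factory=set)     # transaction ids already processed


class CentralOperator:
    """On-line operator consulted by merchants before a stored value is accepted."""

    def __init__(self):
        self.cards = {}        # card_id -> CardRecord (the central database)
        self.audit_log = []    # every decision, kept so transactions can be traced

    def issue(self, card_id, expires, value):
        """Record value loaded onto a card by the issuer, subject to the card limit."""
        rec = self.cards.setdefault(card_id, CardRecord(card_id, expires))
        if rec.loaded + value > CARD_VALUE_LIMIT:
            raise ValueError("card value limit exceeded")
        rec.loaded += value
        return rec

    def authorise(self, card_id, tx_id, amount, today):
        """Check a merchant's redemption request. Returns (accepted, reason)."""
        rec = self.cards.get(card_id)
        if rec is None:
            decision = (False, "unknown card")              # never issued: possible counterfeit
        elif today > rec.expires:
            decision = (False, "card expired")
        elif tx_id in rec.seen_tx:
            decision = (False, "duplicate transaction")     # same claim presented twice
        elif amount <= 0 or amount > PER_TX_LIMIT:
            decision = (False, "per-transaction limit")
        elif rec.spent + amount > rec.loaded:
            decision = (False, "spend exceeds value loaded")  # more value than was issued
        else:
            rec.spent += amount
            rec.seen_tx.add(tx_id)
            decision = (True, "ok")
        self.audit_log.append((card_id, tx_id, amount, today.isoformat(), decision[1]))
        return decision


def run_demo():
    """Constructed sequence of events; returns the list of reasons in order."""
    op = CentralOperator()
    op.issue("CARD-1", date(2000, 12, 31), 500)
    d = date(2000, 6, 1)
    results = [
        op.authorise("CARD-1", "tx1", 150, d),   # ok
        op.authorise("CARD-1", "tx1", 150, d),   # duplicate transaction
        op.authorise("CARD-1", "tx2", 300, d),   # per-transaction limit
        op.authorise("CARD-1", "tx3", 200, d),   # ok (350 of 500 spent)
        op.authorise("CARD-1", "tx4", 200, d),   # spend exceeds value loaded
        op.authorise("CARD-9", "tx5", 10, d),    # unknown card
        op.authorise("CARD-1", "tx6", 10, date(2001, 1, 1)),  # card expired
    ]
    return [reason for _, reason in results], op


if __name__ == "__main__":
    reasons, operator = run_demo()
    for entry in operator.audit_log:
        print(entry)
```

The point of the cumulative record is that a redeemed total higher than the value ever issued to a card cannot be explained by legitimate use, so it is the operator's signal for counterfeit value; the audit log gives the trace needed to investigate which merchants presented the excess claims.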
3.2.2 Internal Communication
Aspects of operational, reputational, legal, and other risks can be managed and controlled if senior management communicates to key staff how the provision of electronic banking and electronic money is intended to support the overall goals of the bank. At the same time, technical staff should clearly communicate to senior management how systems are designed to work, as well as the strengths and weaknesses of systems. Such procedures can reduce operational risks of poor systems design, including incompatibility of different systems within a banking organisation; data integrity problems; reputational risk associated with customer dissatisfaction that systems did not work as expected; and credit and liquidity risk.
To ensure adequate internal communication, all policies and procedures should be provided in writing. In addition, senior management should adopt a corporate policy of ongoing education and upgrading of skills and knowledge, consistent with the pace of technological innovation, in order to limit operational risks arising from lack of staff and management expertise. Training may include technical course work, as well as time for staff to keep abreast of important market developments.
3.2.3 Evaluating And Upgrading
Evaluating products and services before they are introduced on a widespread basis can also help limit operational and reputational risks. Testing validates that equipment and systems function properly and produce the desired results. Pilot programs or prototypes can be helpful in developing new applications. The risk of system slowdowns or disruptions can also be reduced by policies to review the capabilities of existing hardware and software regularly.
3.2.4 Outsourcing
A growing trend in the industry is for banks to focus strategically on core competencies and rely on external parties specialising in activities outside the bank's expertise. While these arrangements may offer benefits such as cost-reduction and economies of scale, outsourcing does not relieve the bank of the ultimate responsibility for controlling risks that affect its operations. Consequently, banks should adopt policies to limit risks arising from reliance on outside service providers. For example, bank management should monitor the operational and financial performance of their service providers; ensure that contractual relations between parties, as well as the expectations and obligations of each party, are clearly understood and are defined in written, enforceable contracts; and maintain a contingency arrangement to change service providers in a prompt manner, if necessary.
Security of the bank's sensitive information is of critical importance. The outsourcing arrangement may require the bank to share sensitive data with service providers. Bank management should evaluate the ability of the service provider to maintain the same level of security as though the activities were conducted in-house, through the review of service providers’ policies and procedures aimed at protecting sensitive data. Additionally, supervisors may wish to have the right to independently assess, when necessary, the competence and the operational and financial performance of the service providers.
3.2.5 Disclosures And Customer Education
Disclosures and customer education may help a bank limit legal and reputational risk. Disclosures and programs to educate customers that address how to use new products and services, fees charged for services and products, and problem and error resolution procedures can help banks comply with customer protection and privacy laws and regulations. Disclosures and explanations about the nature of a bank's relationship to a linked web site may help reduce legal risk to a bank arising from problems with services or products on the linked sites.
3.2.6 Contingency Planning
A bank can limit the risk of disruptions in internal processes or in service or product delivery by developing contingency plans that establish its course of action in the event of a disruption in its provision of electronic banking and electronic money services. The plan may address data recovery, alternative data-processing capabilities, emergency staffing, and customer service support. Backup systems should be tested periodically to ensure their continuing effectiveness. Banks should ensure that their contingency operations are as secure as their normal production operations.
An important aspect of electronic banking and electronic money is the reliance on external entities including hardware vendors, software providers, Internet service providers, and telecommunications companies. Bank management may insist that such service providers have backup capabilities. In addition, management may consider compensating actions it can take in the event service providers become impaired. Such plans could include short-term contracting with other providers, and a policy describing how the bank will address customer losses associated with the service disruption. Banks should also consider the advisability of reserving the right to change service providers in a prompt manner if necessary.
Contingency planning may also contribute to limit reputational risk arising from the bank's own actions, or from problems experienced by another institution offering the same or similar electronic banking or electronic money products or services. For example, banks may wish to establish procedures to address customer problems during system disruptions.
8 See Security of Electronic Money, Bank for International Settlements, August 1996, especially section 4.1.2 on cryptography, for a detailed discussion of encryption.
9 A detailed discussion of security measures for electronic money can be found in Security of Electronic Money, Bank for International Settlements, April 1996. That report concluded that a combination of security measures, rather than reliance on any one particular measure, is likely to be most effective in preventing and deterring security problems for electronic money.
3.3. Monitoring Risks
Ongoing monitoring is an important aspect of any risk management process. For electronic banking and electronic money activities, monitoring is particularly important both because the nature of the activities is likely to change rapidly as innovations occur, and because of the reliance of some products on the use of open networks such as the Internet. Two important elements of monitoring are system testing and auditing.
3.3.1 System Testing And Surveillance
Testing of systems operations can help detect unusual activity patterns and avert major system problems, disruptions, and attacks. Penetration testing focuses upon the identification, isolation, and confirmation of flaws in the design and implementation of security mechanisms through controlled attempts to penetrate a system outside normal procedures. Surveillance is a form of monitoring in which software and audit applications are used to track activity. In contrast to penetration testing, surveillance focuses on monitoring routine operations, investigating anomalies, and making ongoing judgements regarding the effectiveness of security by testing adherence to security policies.
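As an added example of the surveillance described above (not code from the report), the routine below runs over a constructed electronic banking audit log and raises alerts for three kinds of finding: a burst of failed logins on one account from one source, a large transfer outside business hours, and a limit change by an account that policy does not permit to make one (an adherence check). The log format, thresholds, business hours and the permitted account name are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the report); one event per line.
SAMPLE_LOG = """\
1998-03-02T09:01:10 LOGIN_FAIL user=alice src=10.0.0.7
1998-03-02T09:01:14 LOGIN_FAIL user=alice src=10.0.0.7
1998-03-02T09:01:19 LOGIN_FAIL user=alice src=10.0.0.7
1998-03-02T09:01:23 LOGIN_FAIL user=alice src=10.0.0.7
1998-03-02T09:01:30 LOGIN_FAIL user=alice src=10.0.0.7
1998-03-02T09:02:02 LOGIN_OK user=alice src=10.0.0.7
1998-03-02T09:30:00 TRANSFER user=alice amount=250 dest=ACC-1
1998-03-02T23:45:00 TRANSFER user=bob amount=9000 dest=ACC-2
1998-03-02T10:15:00 LIMIT_CHANGE user=carol new_limit=50000
1998-03-02T10:20:00 LIMIT_CHANGE user=ops-admin new_limit=20000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

# Hypothetical surveillance policy, constructed for this example.
FAIL_THRESHOLD = 5                      # failed logins that count as a burst
FAIL_WINDOW = timedelta(minutes=5)      # within this period
BUSINESS_HOURS = range(8, 19)           # 08:00 to 18:59
LARGE_TRANSFER = 5000                   # amount treated as large
LIMIT_CHANGE_ALLOWED = {"ops-admin"}    # accounts permitted to change limits


def parse(line):
    """Split one log line into (timestamp, event type, key/value fields)."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), event, fields


def surveil(log_text):
    """Return a list of (alert type, user, timestamp) found in the log."""
    alerts = []
    fails = defaultdict(list)   # (user, src) -> timestamps of recent failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, f = parse(line)
        if event == "LOGIN_FAIL":
            window = fails[(f["user"], f["src"])]
            window.append(ts)
            # forget failures older than the window
            while window and ts - window[0] > FAIL_WINDOW:
                window.pop(0)
            if len(window) == FAIL_THRESHOLD:   # alert once when the burst completes
                alerts.append(("login_failure_burst", f["user"], ts))
        elif event == "TRANSFER":
            if ts.hour not in BUSINESS_HOURS and int(f["amount"]) >= LARGE_TRANSFER:
                alerts.append(("large_out_of_hours_transfer", f["user"], ts))
        elif event == "LIMIT_CHANGE" and f["user"] not in LIMIT_CHANGE_ALLOWED:
            alerts.append(("limit_change_policy_violation", f["user"], ts))
    return alerts


if __name__ == "__main__":
    for alert in surveil(SAMPLE_LOG):
        print(alert)
```

Each alert is a prompt for investigation rather than a conclusion: the burst on alice's account is followed by a successful login, which is exactly the pattern an analyst would want to examine, and the limit change by carol is a policy finding regardless of whether the change itself was reasonable.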
3.3.2 Auditing
Auditing (internal and external) provides an important independent control mechanism for detecting deficiencies and minimising risks in the provision of electronic banking and electronic money services. The role of an auditor is to ensure that appropriate standards, policies, and procedures are developed, and that the bank consistently adheres to them. Audit personnel must have sufficient specialised expertise to perform an accurate review. An internal auditor should be separate and independent from employees making risk management decisions. To augment internal audit, management may seek qualified external auditors, such as computer security consultants or other professionals with relevant expertise, to provide an independent assessment of the electronic banking or electronic money activity.
3.4. Management of Cross Border Risks
Cross border risks may be more complex than risks banks face within their home country. Hence, banks and supervisors may need to devote added attention to assessing, controlling, and monitoring operational, reputational, legal and other risks arising from cross border electronic banking and electronic money activities.
Banks that choose to provide services to customers in different national markets will need to understand different national legal requirements, and develop an appreciation for national differences in customer expectations and knowledge of products and services. In addition, senior management should ensure that existing systems for credit extension and liquidity management take into account potential difficulties arising from cross border activities. A bank may need to assess country risk and develop contingency plans that take into account service disruptions due to problems in the economic or political climate abroad. A bank may also face difficulties in enforcing the fulfilment of a foreign service provider’s obligations. In the case of banks relying on service providers located abroad, national supervisors may want to assess the accessibility of information from, and consider the activities of, cross-border service providers on a case-by-case basis.
National supervisors can play an important role by identifying and discussing jurisdictional ambiguities. They can also continue efforts to develop measures to detect unsafe and illegal practices. Finally, national supervisors can continue, and strengthen, cooperative efforts to share information about product and service innovations and industry practices.